December 2010 Security Bulletin Release

Hi everyone. As part of our usual cycle of monthly
security updates, today Microsoft is releasing 17 bulletins addressing 40
vulnerabilities in Microsoft Windows, Office, Internet Explorer, SharePoint
Server and Exchange. Two of those bulletins carry a Critical rating, while 14
are rated Important and one is rated Moderate.

We’ve assigned our highest deployment priority to the two
Critical bulletins, though we recommend that customers deploy all updates as
soon as possible.

  • MS10-090 This bulletin resolves seven issues — five Critical, two Moderate —
    affecting all supported versions of Internet Explorer, on both Windows clients
    and Windows servers. Among its other updates, it addresses a vulnerability
    previously described in Security Advisory 2458511.
  • MS10-091 This bulletin is Critical and addresses three vulnerabilities in Windows’
    OpenType Font driver. All three issues were privately reported and we are not
    aware of any active attacks using them.

As mentioned, the other 15 bulletins this month carry
lower severity ratings – including MS10-092, the bulletin that closes out the last known vulnerability exploited by
the Stuxnet malware. To assist in your planning and implementation of the
bulletins, please consult this month’s Deployment Priority chart (click for
larger view).

Jerry Bryant, group manager for response communications,
gives more information about the December bulletins in this overview video:


More information about this month’s security updates can
be found on the Microsoft Security Bulletin summary web page.  Our Exploitability Index provides additional information to help
customers plan for deployment of these monthly security bulletins.


We are also releasing updated Malicious Software Removal
Tool signatures this month. The MMPC blog goes into detail on QakBot, the subject of
this month’s update.

Finally, we invite everyone to join the monthly technical
webcast to learn more about the December 2010 security bulletin release. The webcast
is scheduled for Wednesday, December 15, 2010 at 11:00 a.m. PST (UTC
-8). Registration is available here.

Remember, you can follow the MSRC team for late-breaking
news and updates on the threat landscape on Twitter at @MSFTSecResponse.


Angela Gunn
Senior Marketing Communications Manager